journalctl is a client app to query the systemd journal. Systemd journal is written by systemd-journald.service.
Let's sudo into root and we will study journalctl via examples.
[user@localhost ~]$ sudo su -
Last login: Sat Sep 13 11:57:55 CEST 2014 on pts/0
[user@localhost ~]# journalctl
-- Logs begin at Mon 2014-09-01 14:57:19 CEST, end at Mon 2014-09-15 10:52:52 CEST. --
Sep 01 14:57:19 localhost systemd-journal[146]: Runtime journal is using 8.0M (max 2.3G, leaving 3.5G of free 23.4G, current limit 2.3G).
Sep 01 14:57:19 localhost systemd-journal[146]: Runtime journal is using 8.0M (max 2.3G, leaving 3.5G of free 23.4G, current limit 2.3G).
Sep 01 14:57:19 localhost kernel: Initializing cgroup subsys cpuset
Sep 01 14:57:19 localhost kernel: Initializing cgroup subsys cpu
Sep 01 14:57:19 localhost kernel: Initializing cgroup subsys cpuacct
Sep 01 14:57:19 localhost kernel: Linux version 3.10.0-123.6.3.el7.x86_64 (builder@kbuilder.dev.centos.org) (gcc version 4.8.2 20140120 (Red Hat 4.8.2-16) (GC
Sep 01 14:57:19 localhost kernel: Command line: BOOT_IMAGE=/vmlinuz-3.10.0-123.6.3.el7.x86_64 root=UUID=bbbbbbbb-7777-465a-993a-888888888888 ro nomodeset rd.a
Sep 01 14:57:19 localhost kernel: e820: BIOS-provided physical RAM map:
...
...
...
Sep 15 10:57:00 foo.example.com sshd[23533]: Received disconnect from 123.123.123.123: 11: disconnected by user
Sep 15 10:57:00 foo.example.com systemd-logind[1161]: Removed session 9773.
Sep 15 10:59:04 foo.example.com sshd[23813]: Accepted publickey for foobar from 132.132.132.132 port 36843 ssh2: RSA 68:68:68:68:68:86:68:68:68:68:68:68:0
Sep 15 10:59:04 foo.example.com systemd[1]: Created slice user-1005.slice.
Sep 15 10:59:04 foo.example.com systemd[1]: Starting Session 9774 of user foobar.
Sep 15 10:59:04 foo.example.com systemd-logind[1161]: New session 9774 of user foobar.
Sep 15 10:59:04 foo.example.com systemd[1]: Started Session 9774 of user foobar.
Sep 15 10:59:04 foo.example.com sshd[23813]: pam_unix(sshd:session): session opened for user foobar by (uid=0)
lines 53881-53917/53917 (END)
As you may noticed, journalctl show all the logging since the system was booted until at this moment. So there are a lot of lines and data to be interpreted. So you might want to look into the parameters accepted for this application.
If you want to show most recent log, give -r. This will reverse the ordering by showing newest entries first. If you want to show newest ten lines, give -n as a parameter. Example journalctl -r -n 10
To show how much all these log take the disk space, give
--
disk-usage. Note that journal logs are stored in the directory /run/log/journal and not /var/log.If you want to show only log from a unit(service), give
--
unit. Example journalctl --
unit=sshd will show logging for sshd only. Very neat!Sometime you just want to monitor a certain range of date and/or time. You can append parameter
--
since and --
until. Example journalctl --
since="2014-09-14 01:00:00" --
until="2014-09-14 02:00:00" it will show all journal within that duration of 1hour. I think this is really good for system monitoring, system support or even during finding trace of compromised system.If you want the journal logs to appear in web interface, you can format the logging to a format the web application supported. As of this time of writing, journalctl supported the following format.
short | is the default and generates an output that is mostly identical to the formatting of classic syslog files, showing one line per journal entry. |
short-iso | is very similar, but shows ISO 8601 wallclock timestamps. |
short-precise | is very similar, but shows timestamps with full microsecond precision. |
short-monotonic | is very similar, but shows monotonic timestamps instead of wallclock timestamps. |
verbose | shows the full-structured entry items with all fields. |
export | serializes the journal into a binary (but mostly text-based) stream suitable for backups and network transfer (see Journal Export Format[1] for more information). |
json | formats entries as JSON data structures, one per line (see Journal JSON Format[2] for more information). |
json-pretty | formats entries as JSON data structures, but formats them in multiple lines in order to make them more readable for humans. |
json-sse | formats entries as JSON data structures, but wraps them in a format suitable for Server-Sent Events[3]. |
cat | generates a very terse output only showing the actual message of each journal entry with no meta data, not even a timestamp. |
json would probably comes in mind to display the logging on web interface.
There is also a feature known as Foward Secure Sealing where the log will be encrypted using a sealing key and the log can be verified using a verification key. You can check on parameter such as,
--
setup-keys --
interval --
verify --
verify-key. We won't cover FFS in this article, perhaps sometime in the future, I will devote an article on how to set this up.There are also many other good option that help you analyze the log using different strategy like -b, -p and logical operator but that this article should be able to give you a head start. You can find more information through journalctl manual.
No comments:
Post a Comment